How to Secure Your Laravel Application

by epmnzava, December 4th, 2021


Nowadays, the browsers we use to reach the internet expect sites to meet basic security standards. A site that is still served over plain HTTP gets flagged as "Not Secure" in the address bar, and every request to it, including session cookies and form data, travels in cleartext.


This can be very stressful.


I myself have been struggling with this situation for some time on every Laravel application I have built.


Below is an overview of the steps you can take to make sure your Laravel application is always served over HTTPS, with the redirect from HTTP done either inside the application or at the web server.



STEP 1


First, obtain a TLS certificate (still commonly called an SSL certificate) for your domain, either from your hosting provider or directly from a certificate authority. Let's Encrypt issues them free of charge, so purchasing one is no longer required.


Once you have the certificate, install it on your web server and confirm that https://yoursite.com loads without warnings. Then follow one of the methods below so that every HTTP request to your Laravel application is redirected to HTTPS.

Force HTTPS With Middleware

To redirect an HTTP URL to HTTPS you can use a middleware that handles the redirect. This is the simplest solution and doesn't require any change to the server configuration. Its limitation is that the plaintext request has already reached the application before the redirect is issued, so where you control the web server the Nginx or .htaccess approach below is the stronger choice; the middleware remains useful as a safety net on shared hosting.


You can create the middleware by running `php artisan make:middleware HttpsMiddleware`,

and it will generate a file similar to the one below (or just copy and paste this file into app/Http/Middleware/HttpsMiddleware.php).


This checks whether the request is secure; if it is not, and the application is running in production, it redirects the user to the HTTPS version of the same URL.


<?php

namespace App\Http\Middleware;

use Closure;

class HttpsMiddleware
{
    /**
     * Handle an incoming request.
     *
     * Redirects plaintext HTTP requests to the same path over HTTPS.
     * The environment guard keeps local development (no certificate) working.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        if (!$request->secure() && app()->environment('production')) {
            // 301 (permanent) so browsers and crawlers cache the HTTPS URL.
            return redirect()->secure($request->getRequestUri(), 301);
        }

        return $next($request);
    }
}


Then in your Kernel (app/Http/Kernel.php) you can place the created middleware in the `web` group, which is applied to every web route of your Laravel application. Put it at the top of the group so the redirect happens before any session or cookie work is done on the plaintext request. Note that the `web` group does not cover routes in routes/api.php; to redirect those as well, register the middleware in the global `$middleware` array instead. If your application sits behind a load balancer or reverse proxy that terminates TLS, `$request->secure()` only reports HTTPS when the proxy is listed in App\Http\Middleware\TrustProxies; otherwise every request looks insecure and the redirect loops.


See below:


protected $middlewareGroups = [
    'web' => [
        // First in the group: redirect before sessions or cookies are touched.
        \App\Http\Middleware\HttpsMiddleware::class,
        \App\Http\Middleware\EncryptCookies::class,
        // ... the rest of the default web middleware stays as generated ...
        \Illuminate\Routing\Middleware\SubstituteBindings::class,
    ],

    'api' => [
        'throttle:60,1',
    ],
];
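The following is an added example, not code from the article: a stricter version of the same middleware that a practitioner would deploy in production. It answers 301 instead of the default 302, refuses to redirect non-safe methods (a redirected POST becomes a GET and silently loses its body), and adds a Strict-Transport-Security header to HTTPS responses so returning browsers never issue the plaintext request at all. The class name ForceHttps and the one-year max-age are choices made here; it assumes TrustProxies is configured when a proxy terminates TLS, and it is registered in the Kernel exactly as HttpsMiddleware above.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

/**
 * Added example (not the article's own code). Forces HTTPS with a permanent
 * redirect and emits HSTS on secure responses.
 */
class ForceHttps
{
    // Assumed value: one year, the max-age commonly used once HSTS is proven.
    private const HSTS_MAX_AGE = 31536000;

    public function handle(Request $request, Closure $next): Response
    {
        // secure() honours X-Forwarded-Proto only from proxies trusted in
        // App\Http\Middleware\TrustProxies; without that, a TLS-terminating
        // balancer makes every request look plaintext and this would loop.
        if (!$request->secure() && app()->environment('production')) {
            if (!$request->isMethodSafe()) {
                // A redirect turns POST/PUT/DELETE into GET and drops the body.
                // Fail loudly instead of degrading the request.
                abort(Response::HTTP_FORBIDDEN, 'Plaintext HTTP is not allowed.');
            }

            return redirect()->secure(
                $request->getRequestUri(),
                Response::HTTP_MOVED_PERMANENTLY
            );
        }

        $response = $next($request);

        if ($request->secure()) {
            // includeSubDomains is only safe once every subdomain serves HTTPS;
            // start with a short max-age while rolling this out.
            $response->headers->set(
                'Strict-Transport-Security',
                'max-age=' . self::HSTS_MAX_AGE . '; includeSubDomains'
            );
        }

        return $response;
    }
}
```

Browsers cache the HSTS policy for max-age seconds, so a mistake (for example, a subdomain that has no certificate) stays broken for that long; that is why the comment suggests a short max-age first.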

Force HTTPS with Nginx

Change Nginx server configuration to the following:


server {
    listen 80;
    listen [::]:80;
    server_name yoursite.com www.yoursite.com; 
    return 301 https://yoursite.com$request_uri;
}


What this does is listen on port 80 (plain HTTP) for yoursite.com and www.yoursite.com and redirect every request, with a permanent 301, to the HTTPS URL under yoursite.com. Because `$request_uri` carries the original path and query string, the user lands on the HTTPS version of exactly the page they asked for.


Note that the redirect also drops the www prefix, so the server block that listens on 443 must have `server_name yoursite.com` and a certificate valid for that name. Redirecting at the web server is preferable to doing it in the application: the plaintext request never reaches PHP, and it works for every route, static asset and API endpoint alike.
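For completeness, here is the HTTPS server block that the port-80 redirect above hands traffic to, as an added example that is not part of the original article. The certificate paths, document root and PHP-FPM socket are placeholders for your own installation; the try_files and fastcgi lines follow the standard Laravel Nginx layout.

```nginx
# Added example, not from the article. All paths are placeholders.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name yoursite.com;

    ssl_certificate     /etc/ssl/certs/yoursite.com.fullchain.pem;   # placeholder
    ssl_certificate_key /etc/ssl/private/yoursite.com.key;           # placeholder
    ssl_protocols TLSv1.2 TLSv1.3;

    # Tell browsers to go straight to HTTPS next time, so the port-80 redirect
    # is never relied on again. Add includeSubDomains only once every
    # subdomain serves HTTPS; use a short max-age while testing.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root  /var/www/yoursite/public;   # placeholder: Laravel's public directory
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;   # placeholder socket
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
    }
}
```

After reloading Nginx, check both halves with `curl -I http://yoursite.com/some/path` (expect `301` with a `Location: https://yoursite.com/some/path` header) and `curl -I https://yoursite.com/` (expect `200` and the `Strict-Transport-Security` header).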

Force HTTPS with .htaccess (Most Common)


You can also force HTTPS from the .htaccess file in your application's public/ directory (this requires Apache with mod_rewrite enabled and `AllowOverride` permitting it). It's just a few lines that check whether the request did not arrive over HTTPS and, if so, redirect it permanently to the HTTPS version of the same URL. One caveat: `%{HTTPS}` is set by mod_ssl on the Apache host itself, so if TLS is terminated by a proxy in front of Apache it will always be `off` and this rule will redirect forever; in that setup test the forwarded scheme instead, with `RewriteCond %{HTTP:X-Forwarded-Proto} !https`.


RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]




Before you go… Thanks for reading the article! If you enjoyed it, please don’t forget to show your appreciation by clicking 👏 below! Any questions or comments hit me up on:


Mail: [email protected]

Twitter: https://twitter.com/epmnzava

Github: https://github.com/dbrax


Also published here.